"value":"On January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we\u2019ve learned, and what our plans are to continuously improve our security posture for the future.\r\n\r\nWe would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to your work. We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores. Additionally, we want to thank our customers and our community for your patience while we have been conducting a thorough investigation. In aiming for responsible disclosure, we have done our best to balance speed in sharing information with maintaining the integrity of our investigation."
"name":"Report from - https://circleci.com/blog/jan-4-2023-incident-report/ (1674115837)",
"content":"Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Twitter\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"LinkedIn\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Facebook\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Reddit\")>ShareonHackerNews\r\n\r\n\r\nOnJanuary4,2023,wealertedcustomerstoasecurityincident.Today,wewanttosharewithyouwhathappened,whatwe\u2019velearned,andwhatourplansaretocontinuouslyimproveoursecuritypostureforthefuture.\r\n\r\nWewouldliketothankourcustomersforyourattentiontorotatingandrevokingsecrets,andapologizeforanydisruptionthisincidentmayhavecausedtoyourwork.Weencouragecustomerswhohaveyettotakeactiontodosoinordertopreventunauthorizedaccesstothird-partysystemsandstores.Additionally,wewanttothankourcustomersandourcommunityforyourpatiencewhilewehavebeenconductingathoroughinvestigation.Inaimingforresponsibledisclosure,wehaved@[tag](one)ourbesttobalancespeedinsharinginformationwithmaintainingtheintegrityofourinvestigation.\r\n\r\n#Thisreportwillcover@[tag](:)\r\n\r\n\r\n*Whathappened?\r\n*Howdoweknowthisattackvectorisclosedandit\u2019ssafetobuild?\r\n*Communicationandsupportforcustomers\r\n*HowdoIknowifIwasimpacted?\r\n*Detailsthatmayhelpyourteamwithinternalinvestigations\r\n*Whatwelearnedfromthisincidentandwhatwewilldonext\r\n*Anoteonemployeeresponsibilityvs.systemssafeguards\r\n*Securitybestpractices\r\n*Closingthoughts\r\n\r\n##Whathappened?\r\n\r\n*AlldatesandtimesarereportedinUTC,unlessotherwisenoted.*\r\n\r\nOnDecember29,@[tag](2022),wewerealertedto@[tag](suspicious)GitHubOAuthactivityby@[tag](one)ofourcustomers.ThisnotificationkickedoffadeeperreviewbyCircleCI\u2019ssecurityteamwithGitHub.\r\n\r\nOnDecember30,@[tag](2022),welearnedthatthiscustomer\u2019sGitHubOAuthtokenhadbeencompromisedbyanunauthorizedthirdparty.Althoughthatcustomerwasabletoquicklyresolvetheissue,outofanabundanceofcaution,onDecember31,@[tag](2022),weproactivelyinitiatedtheprocessofrotatingallGitHubOAuthtokensonbehalfofourcustomers.DespiteworkingwithGitHubtoincreaseAPIratelimits,therotationprocesstooktime.Whileitwasnotclearatthispointwhetherothercustomerswereimpacted,wecontinuedtoexpandthescopeofouranalysis.\r\n\r\nByJanuary4,2023,ourinternalinvestigationhaddeterminedthescopeoftheintrusionbytheunauthorizedthirdpartyandtheentrypathoftheattack.Todate,wehavelearnedthatanunauthorizedthirdpartyleveragedmalwaredeployedtoaCircleCIengineer\u2019slaptopinordertostealavalid,2FA-backedSSOsession.ThismachinewascompromisedonDecember16,@[tag](2022).Themalwarewasnotdetectedbyourantivirussoftware.Ourinvestigationindicatesthatthemalwarewasabletoexecutesessioncookietheft,enablingthemtoimpersonatethetargetedemployeeinaremotelocationandthenescalateaccesstoasubsetofourproductionsystems.\r\n\r\nBecausethetargetedemployeehadprivilegestogenerateproductionaccesstokensaspartoftheemployee\u2019sregularduties,theunauthorizedthirdpartywasabletoaccessandexfiltrate@[tag](data)fromasubsetof@[tag](data)basesandstores,includingcustomerenvironmentvariables,tokens,andkeys.WehavereasontobelievethattheunauthorizedthirdpartyengagedinreconnaissanceactivityonDecember19,@[tag](2022).OnDecember22,@[tag](2022),exfiltrationoccurred,andthatisourlastrecordofunauthorizedactivityinourproductionsystems.Thoughallthe@[tag](data)exfiltratedwas@[tag](encrypted)atrest,thethirdparty@[tag](extracted)encryptionkeysfromarunningprocess,enablingthemtopotentiallyaccessthe@[tag](encrypted)@[tag](data).\r\n\r\nWhileweareconfidentinthe